Question
We were using stringstream to prepare select queries in C++. But we were strongly advised to use QUERY PARAMETERS to submit DB2 SQL queries to avoid using stringstream. Can anyone share what exactly is meant by a query parameter in C++? Also, please share some practical sample code snippets.
Appreciate the help in advance.
Edit: It is stringstream and not strstream.
Thanks, Mathew Liju
Answer 1:
I suspect this refers to parameterized queries in general: rather than constructing the query in a string, they supply SQL variables (or parameters) and then pass those variables separately. These are much better for handling SQL injection attacks. To illustrate with an example:
"SELECT * FROM Customers WHERE CustomerId = " + _customerId;
Is bad, while this:
"SELECT * FROM Customers where CustomerId = @CustomerId"
is good. The catch is that you have to add the parameters to the query object (I don't know how this is done in C++).
References to other questions:
- https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
- Stored Procedures vs Parameterized Queries
Wild Wild Web:
- http://www.justsoftwaresolutions.co.uk/database/database-tip-use-parameterized-queries.html
Answer 2:
An SQL query in parameterized form is safer than the string format for avoiding SQL injection attacks. Example of a parameterized query:
// Parameterized form: the value travels through the command's parameter
// collection (cmd is an existing SqlCommand), not inside the SQL text
StringBuilder sqlstr = new StringBuilder();
cmd.Parameters.AddWithValue("@companyid", CompanyID);
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=@companyid ");
Example of the query string format:
// String format: CompanyID is concatenated straight into the SQL text
StringBuilder sqlstr = new StringBuilder();
sqlstr.Append("SELECT evtconfigurationId, companyid, configname, configimage FROM SCEVT_CONFIGURATIONS ");
sqlstr.Append("WHERE companyid=" + CompanyID);
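Both answers show the `@name` syntax of ADO.NET; for the C++ and DB2 case the question asks about, DB2's CLI API (the ODBC-style C API in `<sqlcli1.h>`) uses positional `?` markers with SQLPrepare, SQLBindParameter and SQLExecute. The following is an added example, not code from the question or either answer: it assumes an already connected handle `hdbc`, a table `customers(customer_id, name)`, and compiles the DB2-dependent part only when the DB2 header is installed; `count_markers` is an added helper for checking that every marker receives a binding.

```cpp
#include <cstddef>
#include <string>

// Sanity check for statement text: count '?' parameter markers, ignoring any
// '?' inside a single-quoted SQL string literal ('' is an escaped quote).
// Every marker counted here must receive exactly one SQLBindParameter call.
std::size_t count_markers(const std::string& sql) {
    std::size_t n = 0;
    bool in_literal = false;
    for (char c : sql) {
        if (c == '\'') in_literal = !in_literal;   // '' toggles twice, net no change
        else if (c == '?' && !in_literal) ++n;
    }
    return n;
}

#if __has_include(<sqlcli1.h>)
#include <sqlcli1.h>   // DB2 CLI (ODBC-style) API; link with -ldb2

static bool cli_ok(SQLRETURN rc) {
    return rc == SQL_SUCCESS || rc == SQL_SUCCESS_WITH_INFO;
}

// Look up one customer's name by id. `hdbc` is an open connection handle
// (assumed). The id is bound to marker 1 and sent as typed data, so DB2
// parses the statement text exactly as written, never the value.
bool fetch_customer_name(SQLHDBC hdbc, SQLINTEGER id, std::string& out_name) {
    const std::string sql = "SELECT name FROM customers WHERE customer_id = ?";
    SQLHSTMT hstmt = SQL_NULL_HSTMT;
    if (!cli_ok(SQLAllocHandle(SQL_HANDLE_STMT, hdbc, &hstmt))) return false;

    bool ok = cli_ok(SQLPrepare(hstmt, (SQLCHAR*)sql.c_str(), SQL_NTS));
    // Marker 1: input parameter, C type long, SQL type INTEGER. `id` is read
    // when SQLExecute runs, so it must stay alive until then.
    ok = ok && cli_ok(SQLBindParameter(hstmt, 1, SQL_PARAM_INPUT, SQL_C_LONG,
                                       SQL_INTEGER, 0, 0, &id, 0, NULL));
    ok = ok && cli_ok(SQLExecute(hstmt));

    SQLCHAR name[128] = {0};
    SQLLEN ind = 0;
    ok = ok && cli_ok(SQLFetch(hstmt))
            && cli_ok(SQLGetData(hstmt, 1, SQL_C_CHAR, name, sizeof name, &ind));
    if (ok) out_name = reinterpret_cast<const char*>(name);
    SQLFreeHandle(SQL_HANDLE_STMT, hstmt);
    return ok;
}
#endif
```

The same pattern applies to a stringstream-built statement: keep the SQL text constant with `?` in place of every value, and move each value into a SQLBindParameter call.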
Source: https://stackoverflow.com/questions/301008/what-is-a-query-parameter-in-c